TF 0487 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Ensure that the --authorization-mode argument is not set to AlwaysAllow

Property Value
Language terraform
Severity low

Description

The Kubernetes API server is configured with --authorization-mode=AlwaysAllow, which disables authorization checks: every request that passes authentication (including anonymous requests, if anonymous authentication is enabled) is permitted regardless of the caller's identity, group or role. AlwaysAllow is also what kube-apiserver falls back to when the flag is omitted entirely, so an absent flag is as unsafe as an explicit one. Either way the cluster's access controls are bypassed.

Impact

With authorization checks disabled, any principal that can reach the API server, including a workload presenting an ordinary service account token, can perform any action on the cluster: modifying or deleting resources, reading Secrets, or disrupting workloads. RBAC roles and bindings have no effect, so the entire Kubernetes environment is exposed to unauthorized changes or full compromise.

Resolution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --authorization-mode parameter to a comma-separated list of modes that does not include AlwaysAllow, for example --authorization-mode=Node,RBAC. Modes are evaluated in the order listed, so AlwaysAllow anywhere in the list still authorizes every request that reaches it. Because the kubelet watches the static pod manifest directory, the API server is restarted automatically once the file is saved; confirm the new flag with `ps -ef | grep kube-apiserver` on the node afterwards.
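The Symbiotic rule itself is evaluated against Terraform code by the project's scanner. The following script is an added example, not part of the rule or the project's code, that performs the same check against a live control-plane manifest as the Resolution describes: it extracts the value of --authorization-mode from a kube-apiserver.yaml, fails if the flag is missing (the default is AlwaysAllow) or if AlwaysAllow appears anywhere in the mode list, and passes otherwise. It assumes the flag is written in the usual `--authorization-mode=value` form as a single list item under `command:`; the three sample manifests it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check a kube-apiserver static pod manifest for an unsafe
# --authorization-mode. Not part of the Symbiotic rule or project code.
#
# check_authz_mode <manifest> returns:
#   0  explicit mode list that does not contain AlwaysAllow (PASS)
#   1  flag absent (kube-apiserver defaults to AlwaysAllow) or AlwaysAllow listed (FAIL)

# Print the value of the first "--authorization-mode=<value>" list item in the
# manifest (optionally double-quoted), or nothing if the flag is not present.
# Assumes the single-item "--flag=value" form used by kubeadm-generated manifests.
get_authz_mode() {
  sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}--authorization-mode=\([^[:space:]"]*\).*/\1/p' "$1" | head -n 1
}

check_authz_mode() {
  mode=$(get_authz_mode "$1")
  if [ -z "$mode" ]; then
    echo "FAIL $1: --authorization-mode not set (kube-apiserver defaults to AlwaysAllow)"
    return 1
  fi
  # Modes are comma-separated and evaluated in order; any AlwaysAllow entry
  # authorizes every request that reaches it, so its mere presence is a failure.
  case ",$mode," in
    *,AlwaysAllow,*)
      echo "FAIL $1: --authorization-mode=$mode contains AlwaysAllow"
      return 1 ;;
  esac
  echo "PASS $1: --authorization-mode=$mode"
  return 0
}

# Write three constructed manifest excerpts into directory $1 for demonstration:
# a compliant one, an explicit AlwaysAllow, and one with the flag omitted.
write_sample_manifests() {
  cat > "$1/good.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --anonymous-auth=false
EOF
  cat > "$1/bad.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - "--authorization-mode=AlwaysAllow"
    - --anonymous-auth=false
EOF
  cat > "$1/missing.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --anonymous-auth=false
EOF
}

# Stand-alone demo over the constructed samples. On a real control-plane node,
# run: check_authz_mode /etc/kubernetes/manifests/kube-apiserver.yaml
demo_dir=$(mktemp -d)
write_sample_manifests "$demo_dir"
for name in good bad missing; do
  check_authz_mode "$demo_dir/$name.yaml" || true
done
rm -rf "$demo_dir"
```

The `case` test wraps the mode list in commas so that `AlwaysAllow` is matched only as a whole entry; a mode such as `Node,RBAC` passes, while `RBAC,AlwaysAllow` fails even though RBAC is listed first.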